Your message dated Tue, 26 Aug 2008 21:02:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496362: fixed in dtc 0.29.10-1
has caused the Debian Bug report #496362,
regarding The possibility of attack with the help of symlinks in some Debian
packages
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
496362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496362
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dtc-common
Severity: grave
Hi, maintainer!
This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All package
scripts (marked as executable) were tested.
In some packages I've discovered scripts with errors which may be used
by a user to damage important system files or users' files.
For example, if a script uses in its work a temp file which is created
in the /tmp directory, then any user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.
Even if you create files or directories with the help of the 'RANDOM'
function or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.
Even if you rm(dir) the files/directories, your system is
not protected. An attacker can continuously create symlinks.
This list was created with the help of a script and sorted by
hand. However, in some cases a mistake is possible.
Please be understanding of possible mistakes. :)
I set the severity of this bug to grave. The table of discovered
problems is below.
Discussion of this bug can be seen on debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html
Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
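The temp-file problem the report describes, as an added example that is not code from either message or from any listed package: a shell script contrasting the predictable /tmp/name.$$ pattern with mktemp-based creation and a pre-open symlink check, exercised only inside a private sandbox directory. Function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from any package it lists.
# The predictable temp-file pattern the report warns about, a hardened
# version, and a pre-open check. File and function names are assumptions.

# Unsafe: report.<pid> is guessable ($$ and RANDOM are small name spaces),
# and '>' follows an existing symlink, so a planted link redirects the write.
unsafe_tmp_write() {
    tmp="${TMPDIR:-/tmp}/report.$$"
    echo "$1" > "$tmp"
    rm -f "$tmp"   # removes only the link; it can simply be planted again
}

# Hardened: mktemp creates the file itself (O_CREAT|O_EXCL, mode 0600) under
# an unpredictable name, so nothing pre-planted at that path is ever followed.
safe_tmp_write() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/report.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp"
    rm -f "$tmp"
}

# Pre-open check for a script stuck with a fixed path: refuse a symlink and
# refuse an existing non-regular file. Still racy between check and open,
# so it is a second line of defence, not a substitute for mktemp.
tmp_path_is_safe() {
    [ -L "$1" ] && return 1
    [ -e "$1" ] && [ ! -f "$1" ] && return 1
    return 0
}

# Demonstration in a private sandbox directory (never against the real /tmp):
# plant a symlink at the name unsafe_tmp_write would use, then confirm the
# check rejects it while the hardened writer still succeeds.
demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/report.$$"
    if tmp_path_is_safe "$sandbox/report.$$"; then rc=0; else rc=1; fi
    out=$(TMPDIR=$sandbox safe_tmp_write hello)
    rm -rf "$sandbox"
    [ "$rc" -eq 1 ] && [ "$out" = hello ]
}

demo && echo "symlink rejected, hardened write OK"
```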
--- Begin Message ---
Source: dtc
Source-Version: 0.29.10-1
We believe that the bug you reported is fixed in the latest version of
dtc, which is due to be installed in the Debian FTP archive:
dtc-common_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-common_0.29.10-1_all.deb
dtc-core_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-core_0.29.10-1_all.deb
dtc-cyrus_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-cyrus_0.29.10-1_all.deb
dtc-postfix-courier_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-postfix-courier_0.29.10-1_all.deb
dtc-stats-daemon_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-stats-daemon_0.29.10-1_all.deb
dtc-toaster_0.29.10-1_all.deb
to pool/main/d/dtc/dtc-toaster_0.29.10-1_all.deb
dtc_0.29.10-1.diff.gz
to pool/main/d/dtc/dtc_0.29.10-1.diff.gz
dtc_0.29.10-1.dsc
to pool/main/d/dtc/dtc_0.29.10-1.dsc
dtc_0.29.10.orig.tar.gz
to pool/main/d/dtc/dtc_0.29.10.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <[EMAIL PROTECTED]> (supplier of updated dtc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Thu, 26 Aug 2008 05:07:11 +0800
Source: dtc
Binary: dtc-common dtc-core dtc-cyrus dtc-postfix-courier dtc-stats-daemon
dtc-toaster
Architecture: source all
Version: 0.29.10-1
Distribution: unstable
Urgency: low
Maintainer: Thomas Goirand <[EMAIL PROTECTED]>
Changed-By: Thomas Goirand <[EMAIL PROTECTED]>
Description:
dtc-common - web control panel for admin and accounting hosting services (comm
dtc-core - web control panel for admin and accounting hosting services (fewe
dtc-cyrus - web control panel for admin and accounting hosting services (cyru
dtc-postfix-courier - web control panel for admin and accounting hosting
services (more
dtc-stats-daemon - dtc-xen VM statistics for the dtc web control panel
dtc-toaster - web control panel for admin and accounting hosting services (meta
Closes: 496362
Changes:
dtc (0.29.10-1) unstable; urgency=low
.
* New upstream release with corrections for Lenny, backported from the master
branch of the Git, to add corrections and not features, as follows:
- Big problem with the pending payment thing that was setting things as
validated when they were in fact just pending.
- the CPU rrd data collection (the rrd call was commented out)
- the setup of the default index.php & 404 subdomain files
- sa-wrapper symlink attack vulnerability fix (Closes: #496362)
- removed the paylog.txt logging
- [v0.29.8] phpmyadmin blowfish_secret owner change
- [v0.29.8] Cleaning the spam folder with -mtime instead of -atime
- [v0.29.8] Added a full Simplified Chinese translation by Wei Cao
<[EMAIL PROTECTED]>, including debconf and the software itself
- [v0.29.8] Removed the "limit 1" when setting the id_client to zero
when deleting an admin.
- [v0.29.8] Solved the mysql users & db deletion bug when deleting an
admin, removed the old mysql manager code that was remaining.
- [v0.29.8] Needed a global $pro_mysql_pop_table in the spam folder
cleanup
- [v0.29.8] Removed a bug when there is no install log at all that was
preventing the VPS install tab to be displayed
- [v0.29.8] Some global variables for the vps table names were missing
in deleteVPS()
- [v0.29.8] The cron job needed to be modified for gen_named='yes',
reload_named='yes' when modifying the wildcard DNS thing.
- [v0.29.8] A Tags: was still there in debian/control, it's now removed.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---